[00:05.730 --> 00:08.560]  Welcome back to Career Hacking Village,
[00:08.560 --> 00:10.880]  Hacking Career Village, whatever.
[00:10.980 --> 00:13.200]  As many of you know, I haven't had a lot of coffee yet today
[00:13.200 --> 00:15.260]  and it just doesn't seem like a HackerCon
[00:15.260 --> 00:17.080]  without a shot of tequila.
[00:17.080 --> 00:18.760]  So maybe I'll go do that.
[00:18.760 --> 00:22.340]  In the meantime, a lot of people in our community
[00:22.340 --> 00:26.040]  are frustrated with figuring out how do they go
[00:26.040 --> 00:30.060]  from one job that is non-tech, non-security related
[00:30.640 --> 00:33.040]  into being a security pro.
[00:33.040 --> 00:36.260]  And I'm so thankful that Alyssa Miller decided
[00:36.260 --> 00:40.120]  to tackle this topic and bring to us her insight,
[00:40.120 --> 00:42.200]  her wisdom, and her shared strategies
[00:42.200 --> 00:44.400]  on how we could be successful.
[00:44.400 --> 00:45.280]  Alyssa?
[00:45.460 --> 00:47.200]  Awesome. Well, thank you, Kathleen.
[00:47.200 --> 00:49.940]  And hey, everybody from DEF CON.
[00:50.720 --> 00:54.260]  God, what a weird DEF CON this is this year.
[00:54.340 --> 00:57.880]  Miss seeing all my buds, seeing all my hacker fam,
[00:57.880 --> 00:59.540]  but here we are.
[00:59.540 --> 01:01.300]  And as Kathleen mentioned,
[01:02.700 --> 01:07.080]  I think we're all kind of familiar with the struggles
[01:07.080 --> 01:10.680]  of trying to find jobs in cybersecurity,
[01:10.680 --> 01:13.540]  especially if you're new and trying to make that transition
[01:14.220 --> 01:18.640]  from one industry into the security industry.
[01:18.900 --> 01:22.000]  And it's something that's very near and dear to my heart.
[01:22.020 --> 01:25.040]  So today I really wanted to go through
[01:25.040 --> 01:26.520]  some strategies with you.
[01:26.520 --> 01:28.280]  Let's talk a little bit about some of the problems
[01:28.280 --> 01:30.700]  that are out there and how we can tackle them,
[01:30.700 --> 01:33.620]  how people who are trying to find that first job
[01:33.620 --> 01:36.680]  in cybersecurity can really jump in
[01:36.680 --> 01:38.580]  and overcome some of those obstacles
[01:38.580 --> 01:41.360]  that unfortunately exist in the industry today.
[01:41.700 --> 01:43.480]  So to get things started,
[01:43.480 --> 01:45.320]  let me just share a little bit about myself.
[01:45.400 --> 01:47.520]  First of all, for those of you that don't know me,
[01:47.520 --> 01:48.540]  my name is Alyssa Miller,
[01:48.540 --> 01:51.080]  and I'm a hacker and a researcher first and foremost.
[01:51.120 --> 01:52.880]  I've been hacking all my life,
[01:52.880 --> 01:55.880]  bought my first computer when I was 12,
[01:55.880 --> 01:59.440]  did some things of questionable legality
[01:59.440 --> 02:01.660]  with some online services.
[02:01.940 --> 02:04.180]  And it's kind of been that way ever since.
[02:04.180 --> 02:05.560]  You know, I taught myself how to program.
[02:05.560 --> 02:07.160]  I taught myself about modem communications
[02:07.160 --> 02:09.220]  and sort of dug in.
[02:09.220 --> 02:12.000]  And later on in life became a developer
[02:12.000 --> 02:15.260]  and finally jumped into the security industry
[02:15.260 --> 02:16.660]  as a pen tester.
[02:16.720 --> 02:18.840]  So I've been doing this pretty much my whole life.
[02:18.840 --> 02:21.700]  It's really my mindset is that of,
[02:21.700 --> 02:24.940]  I love tearing things apart, figure out how they work.
[02:24.940 --> 02:27.940]  I like to break stuff and I like to make it work better.
[02:28.240 --> 02:31.680]  So that career of mine has led me to where I'm at right now,
[02:31.680 --> 02:34.820]  which is a security advocate for a company called Snyk.
[02:34.980 --> 02:38.520]  Just means basically that my job is to get out
[02:38.520 --> 02:41.280]  in the security community and talk about topics
[02:41.280 --> 02:43.900]  that are important to us in security
[02:43.900 --> 02:46.820]  and how that ties in organizationally
[02:46.820 --> 02:48.880]  like DevSecOps and things like that.
[02:48.880 --> 02:53.060]  But part of my career journey has really centered
[02:53.060 --> 02:55.660]  on the fact that I've been a security leader.
[02:55.660 --> 02:57.860]  In other words, a manager, a hiring manager
[02:58.360 --> 03:02.200]  for 12 of the 15 years that I've been in security.
[03:02.260 --> 03:03.840]  It didn't take long after I took over
[03:03.840 --> 03:05.440]  that first penetration testing role
[03:05.440 --> 03:07.080]  that was leading that whole team
[03:07.080 --> 03:09.080]  and the vulnerability management program
[03:09.080 --> 03:11.540]  for a huge, huge organization.
[03:11.920 --> 03:15.720]  And so this is a space that I've worked in a lot.
[03:15.720 --> 03:18.560]  I have built a number of different consulting teams
[03:18.560 --> 03:22.020]  from the ground up where there was nothing that existed
[03:22.020 --> 03:26.880]  or a very skeleton crew and it needed to be grown quickly.
[03:26.880 --> 03:28.340]  And I've had a lot of success with that,
[03:28.340 --> 03:31.400]  but it's enabled me to see a lot of the struggles
[03:31.400 --> 03:37.340]  that people deal with from a job search perspective.
[03:37.380 --> 03:40.000]  And indeed, it's given me the perspective too
[03:40.000 --> 03:42.660]  of what are hiring managers looking for?
[03:42.660 --> 03:46.180]  A lot of times hiring managers have their own frustrations.
[03:46.180 --> 03:48.720]  I've had to work with recruiters and headhunters
[03:49.260 --> 03:52.000]  and job search systems and so forth.
[03:52.000 --> 03:53.300]  And so I'm excited to talk about all of that.
[03:53.300 --> 03:55.680]  And then finally, about me,
[03:55.680 --> 03:58.100]  I'm also the co-host of a podcast
[03:58.100 --> 03:59.640]  called The Uncommon Journey.
[03:59.640 --> 04:02.040]  And I bring this up because it's on this podcast
[04:02.040 --> 04:04.340]  that we focus on something that's really important
[04:04.340 --> 04:06.140]  to understand in cybersecurity.
[04:06.360 --> 04:10.440]  And that is that every one of us has a very unique
[04:10.440 --> 04:13.560]  and very different story about how we got here.
[04:13.560 --> 04:17.400]  I always tell the story, I started off as a pre-med major.
[04:17.700 --> 04:21.100]  I know other people in this industry who were wrestlers.
[04:21.100 --> 04:25.940]  I know people who worked in sanitation.
[04:25.940 --> 04:28.940]  I know people who were actors and did drama.
[04:29.080 --> 04:32.280]  And all of these people somehow ended up in the same place
[04:32.280 --> 04:36.000]  because they had an interest and a passion for security.
[04:36.180 --> 04:38.420]  So it's a great podcast, check it out,
[04:38.420 --> 04:40.420]  but more importantly, understand that concept
[04:40.420 --> 04:43.020]  that no matter where you're coming from,
[04:43.020 --> 04:44.760]  there's a place for you here.
[04:45.600 --> 04:48.460]  So I wanna start off a little bit of a story.
[04:48.980 --> 04:51.480]  And the story goes back to the title of this talk
[04:51.480 --> 04:54.200]  being about from a barista to a security pro.
[04:54.320 --> 04:57.680]  So some time ago, I was having a conversation
[04:57.680 --> 05:02.100]  with one of my colleagues and he was lamenting the fact
[05:02.100 --> 05:04.860]  that he was hiring for some positions
[05:04.860 --> 05:09.640]  and he was having trouble getting qualified candidates.
[05:09.640 --> 05:13.760]  And these were entry-level positions in the SOC.
[05:13.760 --> 05:15.480]  So he was in the security operations center.
[05:15.880 --> 05:19.760]  And along this conversation at one point,
[05:19.760 --> 05:22.080]  he brought up the fact that he had somebody
[05:22.080 --> 05:25.120]  who was a seven-year barista,
[05:25.120 --> 05:27.940]  had been working for Starbucks for the last seven years.
[05:28.180 --> 05:30.140]  And he was frustrated,
[05:30.140 --> 05:33.600]  didn't think that they had any place applying
[05:33.600 --> 05:35.180]  for a cybersecurity role
[05:35.180 --> 05:37.160]  because they hadn't worked in tech before.
[05:37.160 --> 05:38.520]  And so I started to question him about that.
[05:38.520 --> 05:41.780]  And I asked, okay, well, what qualifications do they have?
[05:41.780 --> 05:43.160]  Well, they had gone and they had gotten
[05:43.280 --> 05:44.400]  a computer science degree
[05:44.880 --> 05:49.080]  and they had achieved their Security+ certification.
[05:49.080 --> 05:51.320]  I think he might've mentioned they were also working
[05:51.320 --> 05:53.720]  on a CEH or something like that.
[05:53.980 --> 05:56.520]  And so I started to ask him, I said,
[05:57.360 --> 06:01.360]  did you think about what it is that a barista does
[06:01.940 --> 06:04.400]  on a daily basis and how some of those skills
[06:04.400 --> 06:08.740]  might be really valuable to you in a SOC environment?
[06:09.360 --> 06:10.420]  And I started to go through them.
[06:10.420 --> 06:11.920]  And we're gonna talk about that more
[06:12.080 --> 06:14.620]  a little bit down the ways in this talk today.
[06:15.320 --> 06:17.720]  But I really started to, we dug into this.
[06:17.720 --> 06:19.320]  And by the end of it, he started to realize
[06:19.320 --> 06:20.360]  that, you know what?
[06:20.360 --> 06:24.960]  This barista might actually have some really good skills
[06:24.960 --> 06:28.940]  and might be the kind of person that they can build.
[06:29.260 --> 06:33.700]  So the point of this being, there's always that path in,
[06:33.700 --> 06:35.620]  sometimes it's not so obvious.
[06:35.620 --> 06:38.700]  And since hiring managers, recruiters,
[06:38.700 --> 06:41.740]  job search systems may not always see those connections.
[06:41.740 --> 06:46.400]  It's up to us as job seekers to help people see
[06:46.400 --> 06:48.600]  what those connections are and justify why it is
[06:48.600 --> 06:52.180]  that we're coming to this industry to start a career
[06:52.540 --> 06:56.520]  and why it is that you want us to be your next hire.
[06:56.520 --> 06:58.720]  So we're gonna talk all about that.
[06:58.720 --> 07:01.260]  But first, let's just start off with the state
[07:01.260 --> 07:03.180]  of where the industry is today.
[07:03.180 --> 07:05.660]  If you're looking to get into cybersecurity,
[07:05.660 --> 07:10.580]  chances are you've once or twice before heard this mantra
[07:10.580 --> 07:13.920]  that there's a talent shortage in security.
[07:13.920 --> 07:16.760]  There are studies, there are surveys,
[07:16.760 --> 07:19.600]  there are articles galore that speak to this
[07:19.600 --> 07:21.720]  every single day.
[07:21.720 --> 07:25.520]  If you go through any news sites related to cybersecurity
[07:25.520 --> 07:28.980]  or related to tech, chances are somewhere over the past year
[07:28.980 --> 07:30.680]  you're gonna find that they had some article
[07:30.680 --> 07:32.580]  that talked about the challenges
[07:32.580 --> 07:35.320]  of this so-called talent shortage
[07:35.320 --> 07:37.600]  that exists in cybersecurity.
[07:38.560 --> 07:40.700]  Now you see some things up here, for instance,
[07:40.700 --> 07:44.100]  the great cybersecurity talent shortage continues.
[07:44.100 --> 07:46.680]  And it's blown up really big,
[07:46.680 --> 07:49.180]  but the question always comes back to me.
[07:49.180 --> 07:52.320]  I start to wonder, I hear from a lot of people
[07:52.320 --> 07:54.880]  who are trying to find roles in cybersecurity
[07:54.880 --> 07:57.060]  and are unable to find them.
[07:57.960 --> 08:00.400]  And I hear from people who are experienced
[08:00.400 --> 08:04.580]  and who are trying to find new jobs and are having trouble.
[08:04.880 --> 08:07.920]  So you're telling me there's a talent shortage
[08:07.920 --> 08:09.660]  yet I'm hearing from all these people
[08:09.660 --> 08:13.200]  who are having trouble finding jobs.
[08:13.260 --> 08:15.940]  So what's the reality?
[08:16.140 --> 08:17.820]  And that's something that was,
[08:17.820 --> 08:21.680]  I really wanted to start to try to find some answers to.
[08:21.680 --> 08:25.420]  So at the very beginning of this year,
[08:26.220 --> 08:28.600]  I made the decision to do some research.
[08:28.600 --> 08:31.080]  And it's related to a book that I'm also writing.
[08:31.080 --> 08:32.460]  In fact, a lot of the stuff you're going to see
[08:32.460 --> 08:34.400]  in this talk today comes from this book
[08:34.400 --> 08:36.140]  that I'm currently working on.
[08:36.140 --> 08:39.960]  But one of the things I did was I launched a pair of surveys.
[08:40.200 --> 08:42.080]  One survey was targeted at people
[08:42.080 --> 08:44.260]  who had never worked in cybersecurity before
[08:44.260 --> 08:47.140]  and wanted to get that first job in security.
[08:47.240 --> 08:50.340]  The other survey was targeted at people
[08:50.340 --> 08:52.120]  who are working in security
[08:52.120 --> 08:54.480]  and already have some experience.
[08:55.180 --> 08:58.160]  I got over 1500 responses.
[08:58.160 --> 08:59.960]  So it was a very successful survey.
[09:00.760 --> 09:03.200]  But one of the questions I asked people,
[09:03.200 --> 09:04.740]  because I wanted to really understand
[09:04.740 --> 09:06.660]  this talent shortage in particular,
[09:06.660 --> 09:09.060]  I simply asked those entry-level folks,
[09:09.060 --> 09:12.440]  people who had never had a job in security before,
[09:12.440 --> 09:14.080]  if you're searching for a job,
[09:14.080 --> 09:15.520]  how long have you been searching?
[09:16.080 --> 09:17.360]  Simple question.
[09:17.920 --> 09:22.160]  And the results are what surprised me.
[09:22.940 --> 09:24.880]  We're talking about a talent shortage
[09:24.880 --> 09:27.940]  where employers are desperate to find people
[09:27.940 --> 09:30.160]  to fill these jobs they have open.
[09:30.160 --> 09:32.160]  Yet as we look at these numbers,
[09:32.160 --> 09:35.660]  I can see close to three quarters of these people
[09:36.180 --> 09:38.880]  have been searching for three months or longer
[09:38.880 --> 09:40.600]  to find a job.
[09:42.220 --> 09:44.780]  Over 32% of them have been searching
[09:44.780 --> 09:46.920]  for seven months or more.
[09:47.220 --> 09:49.740]  That's a long time to be out on the job market
[09:49.740 --> 09:52.020]  when you're looking for that first job.
[09:52.020 --> 09:54.900]  So if we have such a talent shortage,
[09:55.760 --> 09:58.160]  how come all these people are having
[09:58.160 --> 10:00.540]  such a hard time finding jobs?
[10:00.540 --> 10:03.160]  This is something I really wanna get to the bottom of.
[10:03.300 --> 10:05.020]  So you might look at this and you might say,
[10:05.020 --> 10:08.080]  well, yeah, that's probably because they're entry-level
[10:08.080 --> 10:10.760]  and they don't have any experience.
[10:11.140 --> 10:13.380]  And a lot of these jobs in security,
[10:13.380 --> 10:15.980]  well, they're looking for experienced people.
[10:15.980 --> 10:17.320]  And you're not wrong about that.
[10:17.320 --> 10:19.000]  You wouldn't be wrong to think that.
[10:19.000 --> 10:22.060]  And in fact, when I asked the same exact question
[10:22.060 --> 10:25.920]  of experienced people who said they were already looking,
[10:25.920 --> 10:28.400]  said they were currently looking for a job,
[10:28.840 --> 10:30.820]  the numbers changed a little bit,
[10:30.820 --> 10:33.300]  but they still didn't change a lot.
[10:33.300 --> 10:38.900]  We see, yeah, it went up to 46% that are less than two months
[10:38.900 --> 10:40.880]  in the job market, and that's pretty good.
[10:41.100 --> 10:42.760]  And that's what we'd expect to see.
[10:42.760 --> 10:45.840]  People with experience, there's high demand,
[10:45.840 --> 10:47.500]  they're finding jobs quickly.
[10:48.180 --> 10:52.160]  But what about the other 54% or 53 and a half percent?
[10:52.540 --> 10:54.780]  They're still taking three months or longer
[10:54.780 --> 10:56.820]  to find a new job.
[10:57.440 --> 10:59.280]  That's a long time.
[10:59.440 --> 11:02.900]  In almost a quarter of them, it's taking over seven months.
[11:04.140 --> 11:06.380]  So we see the same issues here,
[11:06.380 --> 11:08.960]  whether you're entry-level or whether you're experienced.
[11:09.460 --> 11:12.200]  So if there's this talent shortage,
[11:12.200 --> 11:14.380]  we have this high demand, 4 million jobs
[11:14.380 --> 11:17.260]  is one of the quotes you'll see mentioned recently.
[11:17.260 --> 11:20.700]  Over 4 million jobs are gonna be left unfilled this year.
[11:20.700 --> 11:22.880]  Of course, some of those numbers came up before COVID,
[11:22.880 --> 11:24.160]  so we'll see how that adjusts
[11:24.160 --> 11:26.540]  as people have adjusted their hiring practices.
[11:26.700 --> 11:30.320]  But that's a significant number to say
[11:30.320 --> 11:32.640]  that we've got these 4 million positions,
[11:32.640 --> 11:35.060]  but these experienced people can sit in the job market
[11:35.060 --> 11:36.560]  for seven months or more.
[11:37.600 --> 11:40.940]  So, all right, is it a problem maybe with the applicants?
[11:41.720 --> 11:43.980]  So in that same survey,
[11:43.980 --> 11:46.420]  I asked the people who were hiring managers,
[11:46.420 --> 11:48.080]  I asked them, hey, are you trying to hire
[11:48.080 --> 11:50.180]  for a cybersecurity position?
[11:50.380 --> 11:53.400]  And there were a good number of them that came back
[11:53.400 --> 11:54.520]  and said, yes, indeed,
[11:54.520 --> 11:58.700]  they were trying to hire for cybersecurity as well.
[11:58.700 --> 12:00.820]  And so I asked them, all right,
[12:00.820 --> 12:04.400]  well, what's the biggest challenge that you're encountering
[12:04.400 --> 12:07.180]  when hiring cybersecurity candidates?
[12:08.180 --> 12:11.660]  The number one was unqualified applicants.
[12:12.120 --> 12:14.100]  And this gets me thinking.
[12:14.760 --> 12:17.000]  That works maybe when we're talking about
[12:17.000 --> 12:18.120]  entry-level people,
[12:18.120 --> 12:21.280]  but we're seeing all of these people with experience,
[12:21.280 --> 12:25.000]  with degrees, with certifications, everything else.
[12:25.420 --> 12:28.840]  How are we finding so many that are unqualified
[12:28.840 --> 12:31.340]  for the positions they're applying for?
[12:31.920 --> 12:34.520]  The second one is kind of telling.
[12:35.040 --> 12:37.480]  And this is where we're gonna start to dive in more.
[12:38.400 --> 12:40.160]  The second most common answer
[12:40.160 --> 12:42.720]  was struggles with job descriptions.
[12:43.280 --> 12:47.140]  Hiring managers, recruiters,
[12:47.800 --> 12:51.240]  they work together to put together these job descriptions,
[12:51.650 --> 12:53.800]  but it's not an easy job.
[12:54.480 --> 12:57.360]  And indeed, figuring out a way
[12:57.360 --> 12:58.900]  that we can word a job description
[12:58.900 --> 13:01.800]  that accurately captures the things
[13:01.800 --> 13:04.560]  that are important to us as a hiring manager,
[13:05.180 --> 13:08.200]  also are compliant with all the employment laws
[13:08.200 --> 13:10.700]  and everything else that we have to worry about.
[13:10.760 --> 13:12.540]  This is actually a lot of heavy lifting.
[13:12.540 --> 13:14.460]  And it's not easy to do.
[13:15.040 --> 13:17.640]  And so it's not really a surprise to me
[13:17.640 --> 13:19.300]  that I see this up there.
[13:19.700 --> 13:22.200]  Then we see lack of applicants as number three.
[13:22.200 --> 13:24.100]  And now I'm scratching my head again.
[13:25.700 --> 13:29.160]  Because how are we running into so many people
[13:29.160 --> 13:30.580]  who say they're in the job market
[13:31.280 --> 13:33.300]  for this extended period of time,
[13:33.300 --> 13:35.060]  but you're telling me you have a lack of applicants
[13:35.060 --> 13:36.280]  to your role?
[13:36.880 --> 13:38.380]  Well, how's that happening?
[13:38.580 --> 13:39.940]  So we're gonna explore those
[13:39.940 --> 13:42.340]  because I think those latter two in particular,
[13:42.340 --> 13:44.760]  job descriptions and the lack of applicants,
[13:44.760 --> 13:47.800]  they're actually really tightly related.
[13:48.220 --> 13:52.060]  So let's look at job descriptions for a minute.
[13:52.060 --> 13:53.580]  Because what I'm gonna tell you
[13:53.580 --> 13:57.020]  is that one of the core problems,
[13:57.020 --> 13:58.860]  when I look at why we're struggling
[13:58.860 --> 14:01.300]  to fill roles in cybersecurity,
[14:01.300 --> 14:05.380]  it comes down to that job description.
[14:06.940 --> 14:09.460]  So as a new security person,
[14:09.460 --> 14:11.800]  looking to start that career in cybersecurity,
[14:11.800 --> 14:12.840]  you might be thinking,
[14:12.840 --> 14:14.880]  hey, I wanna start my job as an intern.
[14:15.080 --> 14:16.800]  I wanna look for an intern role,
[14:16.800 --> 14:18.100]  especially if you're coming out of college
[14:18.100 --> 14:19.780]  or maybe you're wrapping up your degree
[14:19.780 --> 14:23.000]  and you're thinking in terms of intern positions.
[14:23.480 --> 14:25.700]  Now, if any of you follow me on Twitter,
[14:25.700 --> 14:28.120]  you've seen me throw out from time to time
[14:28.120 --> 14:31.220]  examples of bad job descriptions.
[14:31.440 --> 14:32.720]  Well, here's the job description
[14:32.720 --> 14:35.680]  from this information security intern position
[14:35.680 --> 14:37.800]  that was posted just a few weeks ago.
[14:38.090 --> 14:39.520]  Right off the top,
[14:39.700 --> 14:42.600]  a bachelor's degree in information technology
[14:42.600 --> 14:44.190]  or a technical discipline.
[14:45.060 --> 14:46.340]  So this is an internship
[14:46.340 --> 14:50.480]  they immediately want you to have your...
[14:50.480 --> 14:53.200]  They want you to have a degree already.
[14:53.200 --> 14:57.280]  So there's no flexibility here to say,
[14:57.280 --> 15:00.920]  have other experience that maybe plays in instead
[15:01.600 --> 15:05.030]  and can replace that particular role.
[15:06.490 --> 15:08.950]  The next one is what really trips me out.
[15:08.950 --> 15:11.070]  And this is something you're gonna see is really common.
[15:11.910 --> 15:14.910]  Certified in one or more of the following.
[15:15.130 --> 15:16.590]  You're talking about an intern
[15:16.590 --> 15:19.550]  and yet they're expecting them to have a certification.
[15:20.690 --> 15:22.970]  And if you look, you see CISSP is the first one.
[15:22.970 --> 15:24.870]  Anyone who knows anything about the CISSP knows
[15:24.870 --> 15:30.090]  that there's a minimum number of years of job experience
[15:30.090 --> 15:32.170]  that you have to have to get a CISSP.
[15:32.170 --> 15:35.550]  So how can any organization expect an intern
[15:36.490 --> 15:38.690]  to have a CISSP?
[15:38.690 --> 15:40.590]  This is simply not realistic.
[15:40.850 --> 15:42.690]  And then the last circle there.
[15:42.690 --> 15:45.450]  This is the one that set me off
[15:45.450 --> 15:48.150]  and resulted in a really long Twitter thread
[15:48.150 --> 15:51.310]  that ended up really kind of blowing up on Twitter
[15:51.310 --> 15:52.770]  for a few days.
[15:52.890 --> 15:56.110]  Minimum of seven years experience
[15:56.110 --> 15:59.430]  working in information technology security.
[16:00.990 --> 16:02.810]  We're talking about an intern.
[16:03.570 --> 16:05.010]  An intern role.
[16:05.330 --> 16:07.130]  These are the ones that you use to bring people
[16:07.130 --> 16:08.730]  out of college and into the workforce.
[16:08.730 --> 16:11.970]  And they want you to have seven years of experience.
[16:11.970 --> 16:15.010]  This is the landscape y'all are trying to conquer.
[16:15.070 --> 16:19.190]  So if you think you've got some key obstacles in your way,
[16:19.190 --> 16:20.470]  clearly you do.
[16:21.290 --> 16:22.870]  But it gets worse.
[16:23.930 --> 16:25.090]  Now here's one for,
[16:25.090 --> 16:27.510]  remember I talked about these experienced people.
[16:27.510 --> 16:30.290]  Here's one for an information security architect.
[16:30.490 --> 16:34.110]  And yes, I've protected the guilty here.
[16:34.110 --> 16:36.790]  I'm not gonna name and shame who this is.
[16:37.050 --> 16:39.190]  But take a look at this job description.
[16:39.190 --> 16:40.650]  So they start off with all the usual stuff
[16:40.650 --> 16:42.310]  talking about their company and their great culture
[16:42.310 --> 16:43.530]  and how wonderful they are.
[16:43.530 --> 16:45.430]  And then they start to describe the role.
[16:45.430 --> 16:47.890]  And you can see here's three bullet points.
[16:47.890 --> 16:49.210]  Okay, that's great.
[16:49.490 --> 16:51.010]  But it doesn't end there.
[16:51.870 --> 16:52.970]  This continues.
[16:52.970 --> 16:54.470]  This is the job role.
[16:54.470 --> 16:55.350]  This is what they're telling you
[16:55.350 --> 16:56.810]  and you're gonna do day to day.
[16:56.810 --> 16:57.970]  Now I've cut it off here.
[16:57.970 --> 17:00.930]  There's actually four more bullets that follow this yet.
[17:01.210 --> 17:02.750]  Who is this magic unicorn
[17:02.750 --> 17:06.210]  who's gonna fill all of these responsibilities?
[17:07.090 --> 17:07.990]  And if you look at them,
[17:07.990 --> 17:08.830]  I know they're hard to read
[17:08.830 --> 17:10.430]  because it's really, really, really small
[17:10.430 --> 17:12.310]  because it was the only way I could fit it on the screen.
[17:12.310 --> 17:13.370]  They're talking about everything
[17:13.370 --> 17:16.030]  from configuring ISPs and WAFs
[17:16.030 --> 17:18.830]  to working in DevSecOps.
[17:18.870 --> 17:21.330]  This like runs the gamut of everything
[17:21.330 --> 17:22.610]  that's in cybersecurity.
[17:22.990 --> 17:24.710]  But it doesn't end there.
[17:25.570 --> 17:29.310]  Let's go and look at their requirements for this job.
[17:29.510 --> 17:31.150]  So that's all of what you were gonna be doing
[17:31.150 --> 17:32.330]  if you get the job.
[17:32.330 --> 17:34.950]  Here's what they expect you to have.
[17:34.950 --> 17:38.450]  And these aren't preferred qualifications.
[17:38.450 --> 17:40.630]  These are listed as requirements.
[17:40.970 --> 17:45.170]  Required that you have every single bullet here.
[17:46.850 --> 17:49.870]  You wonder why this job didn't get filled.
[17:51.110 --> 17:52.750]  It's no surprise.
[17:52.750 --> 17:55.430]  So we're gonna dive into this deeper.
[17:55.430 --> 17:56.650]  But before we do,
[17:56.650 --> 17:59.770]  I also wanna share one more element of that survey.
[18:00.050 --> 18:04.930]  The last element of that survey was I asked job seekers,
[18:04.930 --> 18:05.990]  experienced job seekers,
[18:05.990 --> 18:07.010]  because I wanted to know people
[18:07.010 --> 18:08.950]  who've been around the block a couple of times.
[18:08.950 --> 18:13.050]  What do you see as your biggest struggle?
[18:13.310 --> 18:16.230]  And no surprise in light of everything we just saw,
[18:16.230 --> 18:19.490]  they come back and they say predominantly
[18:19.490 --> 18:21.390]  it's bad job descriptions.
[18:21.390 --> 18:24.010]  So when you have bad job descriptions like this
[18:24.570 --> 18:27.350]  that float throughout the industry,
[18:28.150 --> 18:30.870]  how can you expect people to even wanna apply?
[18:30.870 --> 18:32.390]  And indeed, this is what happens.
[18:32.390 --> 18:33.910]  You have these job descriptions.
[18:33.910 --> 18:36.450]  Sure, some people may apply and they might be underqualified
[18:36.450 --> 18:37.910]  because they can't even figure out
[18:37.910 --> 18:40.030]  what this company is really looking for.
[18:40.030 --> 18:41.550]  On the other side of it,
[18:41.550 --> 18:44.150]  you've got people who then just don't apply.
[18:44.510 --> 18:47.430]  So that percentage that said
[18:47.430 --> 18:50.810]  that they're having trouble finding job applicants,
[18:50.810 --> 18:53.150]  well, yeah, no kidding.
[18:53.170 --> 18:55.370]  Because when you have bad job descriptions,
[18:55.370 --> 18:56.650]  people don't apply.
[18:58.350 --> 19:00.330]  So enough of talking about the problems.
[19:00.330 --> 19:01.570]  I didn't come here today
[19:01.570 --> 19:03.810]  to tell you about how bad things are.
[19:03.810 --> 19:04.450]  We know that.
[19:04.450 --> 19:05.950]  You know that if you're looking for a job.
[19:05.950 --> 19:07.630]  You know it's a struggle.
[19:08.130 --> 19:09.430]  So let's talk about how we start
[19:09.430 --> 19:11.290]  to overcome some of these problems.
[19:11.310 --> 19:12.830]  And let's start by just looking
[19:12.830 --> 19:14.990]  at the typical hiring process.
[19:14.990 --> 19:16.890]  Because especially for some of you coming in
[19:16.890 --> 19:18.990]  as first-time job seekers,
[19:18.990 --> 19:21.070]  this might not just be your first time security job.
[19:21.070 --> 19:23.010]  This might be your first time really looking
[19:23.010 --> 19:26.430]  for a corporate level professional job overall.
[19:26.430 --> 19:28.490]  So let's just talk about this for a minute.
[19:28.490 --> 19:30.710]  The way it works in most organizations
[19:30.710 --> 19:33.750]  is really similar to what you see on this image here
[19:33.750 --> 19:35.050]  that I pulled from Jobscan.
[19:35.050 --> 19:37.790]  Now Jobscan is a company that produces
[19:37.790 --> 19:41.250]  one of what we call these application tracking systems
[19:41.250 --> 19:43.930]  or applicant tracking systems or ATS.
[19:44.050 --> 19:46.870]  So that's that automated system
[19:46.870 --> 19:48.350]  that collects all your information
[19:48.350 --> 19:49.830]  when you apply for a job.
[19:49.830 --> 19:52.770]  So usually what happens is they'll go in,
[19:52.770 --> 19:54.750]  they will create a job in that system.
[19:54.750 --> 19:56.310]  Now there's usually some stuff with approvals
[19:56.310 --> 19:57.710]  and things that happen before that,
[19:57.710 --> 19:58.990]  but a recruiter from the company
[19:58.990 --> 20:00.970]  is gonna go in and create this job.
[20:01.070 --> 20:03.190]  And they're going to attach to it a job description
[20:03.190 --> 20:05.550]  that the recruiter has likely worked
[20:05.550 --> 20:06.830]  with the hiring manager on.
[20:06.830 --> 20:08.890]  They probably have some standard job descriptions
[20:08.890 --> 20:11.870]  already laid out and they might work
[20:11.870 --> 20:13.890]  with the hiring manager to make sure that that's accurate
[20:13.890 --> 20:15.390]  for what they're trying to hire for.
[20:15.390 --> 20:17.690]  And then of course they publish it to the world.
[20:17.690 --> 20:18.990]  They put it out on LinkedIn.
[20:18.990 --> 20:20.350]  They put it out on job sites.
[20:20.350 --> 20:23.770]  They put it on their own job career board on their website.
[20:23.850 --> 20:27.050]  And they hopefully start getting applicants.
[20:28.230 --> 20:29.950]  Then they start screening.
[20:30.450 --> 20:32.350]  And they start screening each of these applicants
[20:32.350 --> 20:33.990]  and over stages they eliminate them.
[20:33.990 --> 20:35.770]  And then finally you get to the point
[20:35.770 --> 20:38.290]  where they select some and they interview them.
[20:38.290 --> 20:40.330]  And then hopefully they find the one they wanna hire
[20:40.330 --> 20:41.490]  and they hire them.
[20:41.930 --> 20:44.890]  What I wanna focus on here is this lower left
[20:44.890 --> 20:48.110]  where we see the applicant screening process.
[20:48.110 --> 20:50.810]  Because when I talk about how people fail
[20:50.810 --> 20:53.190]  to get into a cybersecurity job
[20:53.190 --> 20:58.090]  and how jobs fail to get filled from the hiring side,
[20:58.090 --> 21:01.190]  this is where the things fall apart.
[21:01.390 --> 21:03.310]  More than anything else,
[21:03.310 --> 21:06.750]  it's when we get into that screening process.
[21:06.870 --> 21:08.690]  So let's talk a little bit more about that process
[21:08.690 --> 21:09.850]  for a minute and what that looks like.
[21:09.850 --> 21:11.510]  In organizations where they're using
[21:11.510 --> 21:13.270]  an applicant tracking system,
[21:13.270 --> 21:16.930]  that is your first layer of filter.
[21:16.990 --> 21:19.450]  A lot of these systems have built in rules
[21:19.450 --> 21:21.170]  that immediately look at your resume
[21:21.170 --> 21:25.390]  and are going to identify very objective,
[21:25.390 --> 21:27.010]  tangible things that they can identify.
[21:27.010 --> 21:29.730]  And a lot of times there are algorithms built in there
[21:29.730 --> 21:31.050]  that will immediately,
[21:31.050 --> 21:34.570]  they may not actually delete you from consideration,
[21:34.570 --> 21:35.970]  but they rank you.
[21:35.970 --> 21:38.090]  They provide scoring that now the recruiters
[21:38.090 --> 21:40.230]  and the hiring manager are gonna look at to say,
[21:40.230 --> 21:41.850]  hey, let's prioritize these
[21:41.850 --> 21:43.990]  and look at who is most qualified.
[21:44.210 --> 21:45.510]  So it's important that we understand
[21:45.510 --> 21:49.030]  that that system is a crucial aspect
[21:49.030 --> 21:52.630]  in how we get considered for a job when we apply.
[21:53.030 --> 21:55.970]  Now it goes from there and typically a recruiter
[21:55.970 --> 21:59.330]  or someone in human resources is gonna look at that next.
[21:59.410 --> 22:01.070]  They're gonna get the ones that are receiving that
[22:01.070 --> 22:03.230]  and it's their job to screen further.
[22:03.230 --> 22:04.510]  So they're gonna look at your resume
[22:04.510 --> 22:06.070]  and your qualifications.
[22:06.070 --> 22:10.530]  And if you meet at least some of them,
[22:10.530 --> 22:12.610]  they're probably gonna get in touch with you
[22:12.610 --> 22:14.930]  because their job is to get in touch,
[22:14.930 --> 22:16.350]  talk to you and screen you and make sure
[22:16.350 --> 22:17.670]  that you do meet some of the,
[22:17.670 --> 22:20.010]  just the bare qualifications for that job.
[22:20.010 --> 22:20.810]  They're gonna make sure
[22:20.810 --> 22:25.890]  that some of the legal aspects of it are considered.
[22:25.890 --> 22:28.210]  So if you need to be, for instance, here in the US,
[22:28.210 --> 22:31.430]  if it requires that you're able to legally work in the US,
[22:31.430 --> 22:32.690]  they're gonna make sure that you have
[22:32.690 --> 22:35.490]  whatever those legal qualifications are.
[22:35.870 --> 22:39.470]  They're gonna talk to you about some of the base skill sets
[22:39.470 --> 22:40.850]  and things that they're looking for,
[22:40.850 --> 22:43.850]  maybe ask you a little bit about your experience,
[22:44.910 --> 22:46.450]  but that's their job.
[22:46.450 --> 22:47.230]  And what they're trying to do
[22:47.230 --> 22:48.950]  is they're trying to filter out those applications
[22:48.950 --> 22:53.830]  before they ultimately submit them to the hiring manager.
[22:53.830 --> 22:56.010]  So the hiring manager and potentially their team
[22:56.010 --> 22:58.450]  and maybe some other managers and whatnot
[22:58.450 --> 23:01.330]  will be involved in the last steps
[23:01.330 --> 23:03.550]  of that screening process.
[23:03.550 --> 23:05.810]  So they're the ones that are ultimately involved
[23:05.810 --> 23:07.250]  in some of the interviews,
[23:07.250 --> 23:09.550]  and they're gonna make that final decision
[23:09.550 --> 23:10.930]  on who comes in for an interview,
[23:10.930 --> 23:13.850]  and of course, who they ultimately end up hiring.
[23:15.310 --> 23:18.070]  So understanding this process is important
[23:18.070 --> 23:22.850]  because more often than not, applicants do apply for jobs.
[23:22.850 --> 23:24.710]  I know people who have told me
[23:24.710 --> 23:28.150]  they've applied for 30, 40, 50 jobs
[23:28.820 --> 23:31.770]  because they're not hearing back,
[23:31.770 --> 23:32.690]  they're not making it through.
[23:32.690 --> 23:33.510]  And I start to question,
[23:33.510 --> 23:34.730]  well, if you're applying to that many jobs,
[23:34.730 --> 23:37.530]  how are you not getting calls back from any of them?
[23:37.530 --> 23:38.990]  That seems surprising.
[23:39.630 --> 23:42.990]  And indeed, when you're entering this world
[23:42.990 --> 23:46.210]  of searching for a cybersecurity job in particular,
[23:46.210 --> 23:47.970]  you're on the road to frustration.
[23:48.610 --> 23:50.130]  For those of you coming out of school,
[23:50.130 --> 23:51.770]  you may have had schools that told you,
[23:51.770 --> 23:53.330]  hey, just get that cybersecurity degree
[23:53.330 --> 23:54.610]  and you're gonna be all set.
[23:54.610 --> 23:57.250]  Or maybe you went and you got that certification
[23:57.250 --> 23:59.710]  and boy, they promise all these great things.
[23:59.710 --> 24:02.210]  Hey, if you just get this certification,
[24:02.570 --> 24:03.770]  everybody's gonna wanna hire you
[24:03.770 --> 24:08.190]  because 35, 40, 50% of people working in security
[24:08.190 --> 24:09.410]  have this certification.
[24:09.410 --> 24:11.610]  So if you get it, you can get a job there too, right?
[24:11.610 --> 24:13.190]  And then you go and you hit the job market
[24:13.190 --> 24:14.390]  and it doesn't happen.
[24:14.770 --> 24:17.030]  So let's talk about how we're gonna get beyond that.
[24:17.030 --> 24:19.470]  How do we hack that system
[24:20.210 --> 24:22.990]  and make sure that you can get your next job?
[24:24.230 --> 24:27.610]  I'm gonna tell you, it starts with you.
[24:27.730 --> 24:29.210]  You are the first step
[24:29.210 --> 24:32.550]  and you need to understand yourself.
[24:32.610 --> 24:36.030]  Self-analysis is probably one of the most crucial aspects
[24:36.030 --> 24:38.710]  of getting a job in cybersecurity.
[24:39.210 --> 24:40.770]  I mentor a lot of people
[24:40.770 --> 24:43.010]  as they're searching for security jobs.
[24:43.290 --> 24:45.790]  And one of the first questions I'll ask them,
[24:45.790 --> 24:46.610]  someone will come to me,
[24:46.690 --> 24:47.570]  a lot of times they'll just ask,
[24:47.570 --> 24:48.810]  hey, will you be my mentor?
[24:48.810 --> 24:51.930]  Which is a pretty vague request in general.
[24:52.250 --> 24:54.210]  And so I'll start to ask right away,
[24:54.210 --> 24:55.490]  hey, okay, what are your interests?
[24:55.490 --> 24:57.270]  What do you wanna do in security?
[24:57.730 --> 25:02.150]  And the answer that I dread, but I get quite often is,
[25:02.150 --> 25:02.930]  well, I just wanna work.
[25:02.930 --> 25:03.790]  I wanna learn everything.
[25:03.790 --> 25:05.150]  I wanna be in cybersecurity.
[25:05.610 --> 25:07.250]  Well, what do you wanna do in cybersecurity?
[25:07.250 --> 25:07.910]  Well, I don't know.
[25:07.910 --> 25:09.130]  I wanna learn it all.
[25:10.890 --> 25:13.310]  This image here is a wonderful image.
[25:13.310 --> 25:14.650]  I love this.
[25:15.150 --> 25:16.630]  Henry Jiang put this together
[25:16.630 --> 25:19.090]  and he posted it in an article on LinkedIn.
[25:19.330 --> 25:21.590]  And I don't agree with all of how it's arranged.
[25:21.590 --> 25:24.530]  I would definitely change a lot of the aspects of it.
[25:24.710 --> 25:26.450]  But this gives you some idea
[25:26.450 --> 25:29.590]  of the amount of different opportunities,
[25:29.590 --> 25:32.730]  topic areas, skill sets, whatnot,
[25:32.730 --> 25:36.590]  that exist within this thing we call cybersecurity.
[25:37.350 --> 25:40.010]  So to say you wanna learn all of it,
[25:40.010 --> 25:43.170]  that's not a realistic expectation.
[25:43.170 --> 25:44.590]  To say to somebody, hey,
[25:44.590 --> 25:47.950]  I just wanna learn cybersecurity, that's super broad.
[25:48.130 --> 25:50.690]  How do you self-analyze and get to a point
[25:50.690 --> 25:52.530]  where you understand what it is in cybersecurity
[25:52.530 --> 25:54.350]  that interests you?
[25:54.650 --> 25:56.110]  Now, I've talked with people.
[25:56.110 --> 25:57.330]  Sometimes they're able to figure it out
[25:57.330 --> 25:58.570]  and we'll chat a little bit
[25:58.570 --> 26:00.270]  and when we get to the root of it,
[26:00.270 --> 26:02.750]  sometimes what I've encouraged people to do,
[26:02.750 --> 26:05.150]  go out, look at maybe five,
[26:05.150 --> 26:08.390]  10 security-related blogs and news sites.
[26:08.810 --> 26:11.650]  Grab the first five headlines off of each one of them
[26:11.650 --> 26:14.290]  and put them in a list and rank them.
[26:14.290 --> 26:16.110]  Rank them in order of which headline
[26:16.110 --> 26:18.450]  seems most interesting to you.
[26:18.830 --> 26:21.450]  Now take the top five of those headlines
[26:22.070 --> 26:24.290]  and look for what's common.
[26:24.290 --> 26:26.370]  What are the aspects about those headlines
[26:26.370 --> 26:27.890]  that actually excite you?
[26:27.890 --> 26:31.070]  Is it because they're doing some kind of investigation?
[26:31.070 --> 26:32.710]  They're doing maybe digital forensics
[26:32.710 --> 26:34.770]  and they're investigating
[26:34.770 --> 26:38.370]  and you really like that idea of trying to solve a mystery.
[26:38.370 --> 26:42.550]  Is it because they've launched some new defense mechanism
[26:42.550 --> 26:44.190]  and maybe that's where you really like
[26:44.190 --> 26:46.330]  to sink your teeth into?
[26:46.330 --> 26:48.550]  Is it maybe headlines about new vulnerabilities
[26:48.550 --> 26:49.770]  that were discovered?
[26:49.770 --> 26:51.310]  And so, hey, that's starting to tell you,
[26:51.310 --> 26:53.990]  I really like this idea of vulnerability research
[26:53.990 --> 26:56.810]  and I want to start getting into things like pen testing.
[26:56.930 --> 26:59.890]  This is a great way to simply narrow down your interest
[26:59.890 --> 27:03.050]  and actually understand what is it in security
[27:03.050 --> 27:04.590]  that you want to be doing?
[27:04.590 --> 27:07.890]  Because this is a huge field and it's growing every day.
[27:07.890 --> 27:12.090]  As the digital world becomes more and more our way of life,
[27:12.090 --> 27:14.130]  security fits into every piece of it.
[27:14.810 --> 27:15.930]  Next thing you need to do
[27:15.930 --> 27:18.690]  is you need to be out there building your network.
[27:19.330 --> 27:21.770]  So you know what you want to do.
[27:21.770 --> 27:25.970]  Start interacting with people in social media,
[27:25.970 --> 27:27.190]  if nowhere else.
[27:27.190 --> 27:29.370]  If you go to conferences, I know this year it's different
[27:29.370 --> 27:31.250]  because we don't have the interactivity
[27:31.250 --> 27:33.330]  of being able to walk through hallway con
[27:33.330 --> 27:35.210]  like we normally do when we're at DEF CON
[27:35.210 --> 27:37.250]  and everywhere else and meet new people.
[27:37.410 --> 27:38.570]  But meet them on Twitter.
[27:38.570 --> 27:39.910]  Honestly, it's easier to meet them
[27:39.910 --> 27:41.290]  in social media first anyway
[27:41.290 --> 27:43.430]  and then find them at conferences later.
[27:43.670 --> 27:47.410]  But the key mistake I see made
[27:49.190 --> 27:51.490]  is interact with them.
[27:52.050 --> 27:53.750]  Building a network isn't just going out
[27:53.750 --> 27:55.030]  and following a bunch of people
[27:55.030 --> 27:56.790]  and trying to get a bunch of people to follow you
[27:56.790 --> 27:59.070]  on all these different social media platforms.
[27:59.930 --> 28:01.330]  It's interacting with them.
[28:01.330 --> 28:03.090]  The wonderful thing, I love Twitter for this.
[28:03.090 --> 28:04.930]  And there's a reason why security lives
[28:04.930 --> 28:06.330]  so strongly in Twitter.
[28:06.610 --> 28:08.910]  You can interact with anybody,
[28:08.910 --> 28:10.330]  as long as they haven't blocked you at least,
[28:10.330 --> 28:11.590]  so don't make them angry.
[28:11.730 --> 28:13.150]  But you can go out there,
[28:13.150 --> 28:15.150]  you can find the biggest names in the industry,
[28:15.150 --> 28:16.450]  you can follow them.
[28:16.450 --> 28:18.710]  And as they post things, you can respond
[28:18.710 --> 28:20.770]  and you can have conversations with them.
[28:20.770 --> 28:22.650]  Not only do you have conversations with them,
[28:22.650 --> 28:24.750]  but you may have conversations with their other followers
[28:24.750 --> 28:26.470]  who've also responded.
[28:26.470 --> 28:28.990]  Get engaged in those active conversations,
[28:28.990 --> 28:31.650]  ask questions, offer your opinions,
[28:31.650 --> 28:35.270]  be respectful, build that community.
[28:35.270 --> 28:36.810]  That's how you get followers,
[28:36.810 --> 28:38.250]  that's how you make friends,
[28:38.250 --> 28:40.230]  that's how you'll start to discover
[28:40.230 --> 28:43.110]  not just learning opportunities,
[28:43.110 --> 28:45.650]  but you'll start to find job opportunities.
[28:46.010 --> 28:47.450]  Now, LinkedIn is really great
[28:47.450 --> 28:49.550]  if you're looking really to,
[28:49.550 --> 28:51.490]  on a more professional level, of course.
[28:51.650 --> 28:54.830]  Not as active from a security perspective,
[28:54.830 --> 28:56.570]  definitely more formalized,
[28:56.570 --> 28:57.950]  but a great place, again,
[28:57.950 --> 29:00.010]  to start connecting with people
[29:00.010 --> 29:01.730]  who work for certain organizations
[29:01.730 --> 29:03.510]  that you wanna work for.
[29:03.650 --> 29:06.890]  Find those people, do a search.
[29:07.190 --> 29:09.610]  LinkedIn actually has a pretty decent search capability.
[29:09.610 --> 29:11.670]  Go look for people who work at a job
[29:12.310 --> 29:14.870]  that, or work at a company, excuse me,
[29:14.870 --> 29:17.390]  that is one that you wanna work for,
[29:17.390 --> 29:18.190]  and then look for the people
[29:18.190 --> 29:20.130]  who are in those security roles.
[29:20.190 --> 29:22.630]  Yeah, it's not the greatest search in the world,
[29:22.630 --> 29:23.810]  it does take some learning,
[29:23.810 --> 29:24.810]  but when you learn how to use it,
[29:24.810 --> 29:27.150]  you can actually effectively find these people.
[29:27.590 --> 29:29.290]  Add them, add them as connections.
[29:29.290 --> 29:30.230]  A lot of people on LinkedIn
[29:30.230 --> 29:33.150]  are more than happy to add connections all the time.
[29:33.250 --> 29:35.030]  Unless there's something red flagged about you,
[29:35.030 --> 29:36.530]  I'm gonna add you if you add me.
[29:36.530 --> 29:38.290]  So, make those connections,
[29:38.290 --> 29:39.990]  and again, now you can start interacting
[29:39.990 --> 29:42.010]  with those people when they post stuff.
[29:42.010 --> 29:44.050]  They'll start to see what you're posting as well.
[29:44.050 --> 29:47.210]  So, post good topics, concepts, things.
[29:47.750 --> 29:49.210]  Be out there, be active,
[29:49.210 --> 29:51.030]  but this is what I mean about being interactive
[29:51.030 --> 29:52.450]  and building that network,
[29:52.450 --> 29:54.850]  because now as you start to engage with these people
[29:54.850 --> 29:56.530]  and you build relationships,
[29:56.530 --> 29:58.770]  those are people that can help you find opportunities
[29:58.770 --> 30:01.010]  and help you land those opportunities.
[30:02.090 --> 30:04.110]  But now let's talk about the hiring process.
[30:04.110 --> 30:06.230]  So, we've worked on you, we've got you ready,
[30:06.230 --> 30:07.770]  but now you're gonna go
[30:07.770 --> 30:08.930]  and you're gonna start putting your resume
[30:08.930 --> 30:10.230]  out there to the world.
[30:10.230 --> 30:12.410]  Let's talk about how you beat the ATS.
[30:13.050 --> 30:15.150]  Those applicant tracking systems,
[30:15.150 --> 30:16.630]  they're used to varying degrees,
[30:16.630 --> 30:18.030]  different recruiters use them differently,
[30:18.030 --> 30:19.710]  different companies use them differently.
[30:19.790 --> 30:23.290]  But there's a few things you need to remember with the ATS.
[30:23.290 --> 30:27.490]  Most importantly, remember, this is a machine, it's software.
[30:27.490 --> 30:30.450]  It might be AI based, it might use machine learning
[30:30.450 --> 30:33.390]  and all these buzzwords that the vendors talk about
[30:33.390 --> 30:34.610]  that their products do,
[30:34.610 --> 30:36.810]  but at the end of the day, you're talking to a machine.
[30:36.950 --> 30:38.450]  So, let's think about some of the things
[30:38.450 --> 30:39.670]  that are really important there.
[30:39.670 --> 30:42.390]  First and foremost, when it comes to your resume,
[30:42.390 --> 30:44.470]  simple formatting.
[30:44.570 --> 30:46.810]  And there's a lot of aspects here.
[30:47.170 --> 30:49.210]  Use common fonts.
[30:49.210 --> 30:51.130]  Believe it or not, this can be an issue.
[30:51.130 --> 30:52.950]  Don't use wild, crazy fonts.
[30:52.950 --> 30:53.970]  Use ones that are common.
[30:53.970 --> 30:56.330]  There's no one specific that you have to use,
[30:56.330 --> 30:57.570]  but use ones that are typical.
[30:57.570 --> 31:00.190]  Calibri, Times New Roman,
[31:00.930 --> 31:03.750]  the ones that you typically see in documentation,
[31:03.750 --> 31:05.870]  other things, things that are easy to read.
[31:05.870 --> 31:07.290]  These are the ones that those systems
[31:07.290 --> 31:11.050]  can most effectively process accurately.
[31:11.050 --> 31:14.050]  And that's important, but let's go beyond that.
[31:14.310 --> 31:18.150]  Just format your resume in a way that's easy to read.
[31:18.150 --> 31:20.310]  I know we like to have things that stand out,
[31:20.310 --> 31:21.750]  and it's okay to have a separate resume
[31:21.750 --> 31:23.230]  that you're gonna hand to people,
[31:23.230 --> 31:25.110]  but the one that you upload to the ATS
[31:25.110 --> 31:26.930]  needs to be simply formatted.
[31:26.930 --> 31:28.210]  Don't put pictures in there.
[31:28.210 --> 31:30.010]  Don't put designs in there.
[31:30.230 --> 31:31.630]  Lay it out, structured.
[31:31.630 --> 31:32.570]  Use bullet points,
[31:32.570 --> 31:35.510]  things that it will be able to easily process.
[31:36.710 --> 31:39.290]  The second thing, and this to me is so crucial.
[31:39.290 --> 31:41.750]  I cannot believe how often people miss on this.
[31:41.750 --> 31:42.870]  And this, I don't care if you're looking
[31:42.870 --> 31:45.330]  for a cybersecurity job or what kind of job,
[31:45.330 --> 31:46.670]  this is something you need to be aware of.
[31:46.670 --> 31:48.210]  If you're trying to get hired,
[31:48.210 --> 31:50.390]  you need to be tailoring your resume
[31:50.390 --> 31:52.550]  to that job that you're applying to.
[31:52.690 --> 31:54.990]  This means for every job that you apply to,
[31:54.990 --> 31:56.490]  you should have a separate file.
[31:56.810 --> 31:59.130]  And literally, if I showed you my file system
[31:59.130 --> 32:01.810]  where I store my resumes when I'm applying to jobs,
[32:01.810 --> 32:03.650]  I've got a different one for everyone,
[32:03.650 --> 32:04.870]  and I name them with the date
[32:04.870 --> 32:06.730]  and the company of who I sent it to.
[32:07.280 --> 32:07.970]  Why?
[32:08.310 --> 32:10.690]  Because I need to be looking at keywords
[32:10.690 --> 32:12.830]  that appear in those job descriptions.
[32:12.830 --> 32:15.330]  What are the things that are most important to them
[32:15.330 --> 32:16.830]  in those job descriptions?
[32:16.830 --> 32:18.730]  What ranks highly in the requirements?
[32:18.730 --> 32:23.190]  And how can I work those terms into my resume?
[32:23.250 --> 32:25.910]  Not saying I have to have experience in that term
[32:25.910 --> 32:26.710]  if I don't have it,
[32:26.710 --> 32:28.490]  and we'll talk more about that in a minute,
[32:28.960 --> 32:29.930]  but at least make sure
[32:29.930 --> 32:31.690]  that you mention that keyword somewhere.
[32:31.690 --> 32:32.910]  Get it in there.
[32:33.110 --> 32:35.770]  Look for variations on that keyword as well.
[32:35.770 --> 32:37.370]  So if we think about penetration testing
[32:37.370 --> 32:38.850]  and ethical hacking, for instance,
[32:38.850 --> 32:42.270]  are two different variations that you might focus on.
[32:42.270 --> 32:45.650]  And make sure you're ticking all of those boxes.
[32:45.650 --> 32:47.570]  And sometimes those boxes,
[32:47.570 --> 32:50.730]  they can be pretty complex.
[32:50.730 --> 32:52.470]  They might include certifications.
[32:52.470 --> 32:55.130]  So I'm gonna talk to you in a second about certifications.
[32:55.210 --> 32:57.130]  But the last thing I'm gonna tell you
[32:57.130 --> 32:58.070]  with checking the boxes
[32:58.650 --> 33:02.450]  is make sure that you look at these step-by-step
[33:02.450 --> 33:03.950]  and lay them out.
[33:03.950 --> 33:06.530]  And know which ones that you wanna have in that resume
[33:06.530 --> 33:08.250]  because you need to make sure your resume touches
[33:08.250 --> 33:10.410]  all of those when you upload it to this system.
[33:10.410 --> 33:11.430]  Don't lie.
[33:11.630 --> 33:13.350]  Don't over-exaggerate.
[33:13.350 --> 33:15.450]  But make sure that you check the boxes
[33:15.450 --> 33:17.130]  that they're asking you to check.
[33:17.130 --> 33:17.730]  Now, as I said,
[33:17.730 --> 33:20.090]  one of those boxes is often the certification.
[33:20.930 --> 33:23.770]  And this is another extremely common question
[33:23.770 --> 33:26.190]  I get from people who are looking for cybersecurity jobs.
[33:26.190 --> 33:27.850]  They wanna know what cert to get.
[33:28.010 --> 33:29.130]  I love this picture.
[33:29.130 --> 33:30.850]  It was put together by someone on Reddit.
[33:30.850 --> 33:32.730]  I've got the credit down there at the bottom.
[33:32.730 --> 33:34.750]  These are all the cybersecurity related
[33:36.090 --> 33:37.690]  certifications you can get.
[33:38.110 --> 33:40.770]  And I said, CISSP is very commonly asked for.
[33:40.770 --> 33:42.150]  In fact, I did some research.
[33:42.150 --> 33:44.970]  I went through five different major job boards
[33:44.970 --> 33:47.030]  including LinkedIn and Monster.
[33:47.030 --> 33:49.370]  And I looked at what are they looking for?
[33:49.370 --> 33:52.230]  What is the most commonly asked for certification?
[33:52.270 --> 33:54.950]  Far and away, bar none, it's the CISSP.
[33:55.170 --> 33:58.430]  Now, I filtered out any jobs that were from the government
[33:58.430 --> 33:59.670]  because the government does have
[33:59.670 --> 34:00.990]  actually specific requirements
[34:00.990 --> 34:02.750]  around why they have to have CISSP.
[34:02.750 --> 34:05.810]  But more often than not, people say they want a CISSP,
[34:05.810 --> 34:08.530]  and here's the magic words, or equivalent.
[34:08.950 --> 34:11.830]  You don't have to have a CISSP to get a job.
[34:11.970 --> 34:13.890]  Just get a cert.
[34:13.890 --> 34:16.250]  Now, there's very few that as an entry-level person
[34:16.250 --> 34:17.670]  you can get, but there's a couple.
[34:17.670 --> 34:19.610]  The one that I recommend most often to people
[34:19.610 --> 34:20.670]  is look at the Security Plus
[34:21.270 --> 34:22.910]  because the Security Plus certification
[34:22.910 --> 34:24.950]  is one of the cheapest to get.
[34:25.350 --> 34:27.450]  It is attainable for anybody
[34:27.820 --> 34:31.370]  and it covers a wide breadth of security knowledge.
[34:31.370 --> 34:34.610]  It doesn't hamstring you into one specific area.
[34:34.610 --> 34:36.670]  If you go for like a CEH, well, that's very focused
[34:36.670 --> 34:38.890]  on ethical hacking and penetration testing.
[34:38.890 --> 34:40.470]  That doesn't make a lot of sense.
[34:40.470 --> 34:44.070]  If you look at the GIAC ones, the ones from SANS,
[34:44.070 --> 34:46.670]  well, one, they're super duper duper expensive,
[34:46.670 --> 34:50.450]  and two, they're very narrowly focused as well.
[34:50.450 --> 34:53.310]  So get something general, something that can apply.
[34:53.310 --> 34:54.630]  You're not looking to say,
[34:54.630 --> 34:58.130]  hey, I've got this great, wonderful certification.
[34:58.130 --> 35:00.430]  You're looking to check that box that says CISSP
[35:00.430 --> 35:01.510]  or equivalent.
[35:01.610 --> 35:03.730]  And I will tell you that having a Security Plus
[35:03.730 --> 35:06.590]  more often than not will be looked at as an equivalent.
[35:08.570 --> 35:11.350]  So you've made it past the ATS, congratulations.
[35:11.430 --> 35:14.170]  The recruiter is now looking at your resume.
[35:14.170 --> 35:16.630]  What do you, how do I get them?
[35:17.050 --> 35:18.810]  How do I get them on board?
[35:18.950 --> 35:20.470]  Well, you gotta inspire them.
[35:20.570 --> 35:21.910]  You gotta inspire that recruiter
[35:21.910 --> 35:25.990]  who's looking at thousands maybe of resumes in a week.
[35:26.030 --> 35:30.370]  You gotta inspire them to take your resume
[35:30.890 --> 35:33.430]  and pass it on to the hiring manager.
[35:33.430 --> 35:34.810]  How do you do that?
[35:34.810 --> 35:38.050]  Step one, be memorable.
[35:38.390 --> 35:40.970]  And I cannot stress this enough.
[35:40.970 --> 35:43.890]  And this goes beyond maybe having some unique formatting
[35:43.890 --> 35:46.710]  about a resume that you sent to them outside of the ATS.
[35:46.710 --> 35:49.130]  Again, don't use crazy formatting for ATS.
[35:49.850 --> 35:51.590]  Do something more.
[35:51.590 --> 35:52.650]  Be bold.
[35:53.010 --> 35:55.890]  If you don't have a blog, start writing one.
[35:56.030 --> 35:58.530]  That way you can link to your blog in your resume.
[35:58.530 --> 36:01.590]  I don't care if only five people ever read your blog.
[36:01.590 --> 36:03.690]  The fact that you wrote content and you put it out there
[36:03.690 --> 36:05.570]  immediately demonstrates, hey,
[36:05.570 --> 36:07.490]  I'm doing something in security.
[36:07.490 --> 36:08.830]  It makes you memorable.
[36:09.430 --> 36:11.350]  Create a YouTube channel and record videos
[36:11.350 --> 36:13.850]  that talk about different security concepts.
[36:14.610 --> 36:15.990]  One of my favorite stories,
[36:15.990 --> 36:17.430]  and this was actually as a hiring manager,
[36:17.430 --> 36:19.110]  this wasn't even at a recruiter level.
[36:19.110 --> 36:22.110]  I interviewed a person and then she moved on
[36:22.110 --> 36:24.770]  and she interviewed with some of the people on my team.
[36:24.770 --> 36:26.770]  And she didn't like one of the answers she gave them
[36:26.770 --> 36:28.210]  in this technical interview.
[36:28.410 --> 36:31.990]  So she immediately left that after that interview,
[36:31.990 --> 36:34.410]  went and recorded a YouTube video
[36:34.410 --> 36:38.450]  where she explained the concept in detail,
[36:38.450 --> 36:41.550]  talked about how to remediate it and so forth.
[36:41.550 --> 36:43.490]  And then she emailed that video link
[36:43.490 --> 36:45.830]  to not only the two people she interviewed with,
[36:45.830 --> 36:47.690]  but to me and the recruiter as well.
[36:48.190 --> 36:49.670]  That makes you memorable.
[36:49.670 --> 36:51.610]  That's something that stands out.
[36:51.610 --> 36:52.530]  So what I tell people,
[36:52.530 --> 36:54.410]  I borrow a phrase from a colleague of mine,
[36:54.410 --> 36:57.030]  Phil Gerbyshak, who speaks all about personal branding.
[36:58.850 --> 37:00.150]  What's your weird?
[37:00.830 --> 37:03.350]  Figure out that thing about you that makes you unique.
[37:03.350 --> 37:05.390]  It may not be security related at all
[37:06.050 --> 37:08.410]  and highlight that in your resume.
[37:08.410 --> 37:09.110]  Own it.
[37:09.110 --> 37:11.770]  Something that makes you very unique from everybody else
[37:11.770 --> 37:13.450]  that, hey, I mean, for me,
[37:13.450 --> 37:15.310]  it's the fact that I bought my first computer
[37:15.310 --> 37:16.330]  when I was 12 years old.
[37:16.330 --> 37:17.090]  I was 12 years old.
[37:17.090 --> 37:19.430]  I saved up money with a paper route and I bought a computer.
[37:19.730 --> 37:21.450]  How many people do you know who did that,
[37:21.450 --> 37:23.550]  especially back in the late 80s when I grew up?
[37:23.550 --> 37:24.630]  Yes, I'm that old.
[37:24.910 --> 37:29.150]  So put those unique stories out there.
[37:29.150 --> 37:31.210]  That's the thing that when recruiters read through that,
[37:31.210 --> 37:33.570]  they see that and they're like, oh, hey, this is memorable.
[37:33.630 --> 37:35.030]  That's something that sticks in their head.
[37:35.030 --> 37:37.850]  And they're like, this is someone I want to know more about.
[37:37.850 --> 37:39.550]  And they'll get in touch with you.
[37:41.390 --> 37:43.410]  Link everything to those requirements.
[37:43.610 --> 37:45.810]  Now we talked about tailoring your resume already.
[37:45.810 --> 37:47.270]  This is that same thing.
[37:47.470 --> 37:50.670]  If you're talking to them, do the same.
[37:50.670 --> 37:52.310]  So you've gotten past maybe that resume.
[37:52.310 --> 37:55.490]  You've gotten that initial HR screening call now.
[37:56.170 --> 37:57.570]  Talk to them, but make sure everything
[37:57.570 --> 37:58.450]  that you're talking about
[37:58.450 --> 38:00.710]  that you somehow link it back to their requirements.
[38:01.370 --> 38:02.430]  And then finally, this one,
[38:02.430 --> 38:03.950]  I can't believe I have to tell you this,
[38:03.950 --> 38:06.070]  but unfortunately, as I talk to recruiters all the time,
[38:06.070 --> 38:07.790]  they tell me this is one of the biggest problems.
[38:07.830 --> 38:08.970]  Be responsive.
[38:09.230 --> 38:11.890]  If a recruiter contacts you and says,
[38:11.890 --> 38:14.510]  hey, I'd like to schedule a screening interview,
[38:15.990 --> 38:18.790]  respond back, respond back as quick as you can.
[38:18.790 --> 38:20.210]  Now, sometimes we're out on vacation,
[38:20.210 --> 38:21.910]  we're not checking emails, great,
[38:21.910 --> 38:24.530]  but make sure you're using an email that you check often
[38:24.530 --> 38:26.710]  and respond to them quickly.
[38:26.850 --> 38:28.530]  Nothing is more frustrating for a recruiter
[38:28.530 --> 38:30.310]  than when they see a candidate who they really like
[38:30.310 --> 38:31.470]  and they want to bring them in,
[38:31.470 --> 38:32.490]  and they try to get in touch with them
[38:32.490 --> 38:34.470]  and they can't get that person to return their calls
[38:34.470 --> 38:35.750]  or return their emails.
[38:36.190 --> 38:39.210]  And this is a huge problem that stands in people's way.
[38:39.650 --> 38:41.210]  So we can do better.
[38:41.910 --> 38:44.310]  Then finally, all right, so we did all that.
[38:44.310 --> 38:47.070]  The recruiter passed us on to the hiring manager.
[38:47.070 --> 38:49.530]  The hiring manager wants to know more about us.
[38:49.530 --> 38:52.290]  How do I win over the hiring manager?
[38:52.610 --> 38:54.610]  This is where things are crucial.
[38:55.450 --> 38:56.490]  First and foremost,
[38:56.490 --> 38:59.270]  this first of all is where you've got the opportunity.
[38:59.270 --> 39:00.970]  We're no longer talking about resume.
[39:00.970 --> 39:02.890]  At the point they call you in for an interview,
[39:02.890 --> 39:04.590]  it's not about your resume anymore.
[39:04.590 --> 39:06.710]  It's about you and what do you do.
[39:06.890 --> 39:09.990]  And in that survey, when I talked to hiring managers
[39:09.990 --> 39:13.410]  and the last question I asked them on the survey,
[39:13.410 --> 39:14.670]  the last question I asked was,
[39:14.670 --> 39:16.330]  what's one piece of advice you would give
[39:16.330 --> 39:19.610]  to people looking to get their first job in security?
[39:19.690 --> 39:21.490]  The single most common theme
[39:21.490 --> 39:25.290]  throughout all the thousand answers that I got,
[39:25.290 --> 39:29.550]  they all related back to passion, the vast majority.
[39:29.610 --> 39:32.510]  And you see some of the direct quotes here.
[39:32.650 --> 39:34.670]  How do you share your passion?
[39:34.830 --> 39:37.410]  Be excited about the things that you're talking about.
[39:37.410 --> 39:42.510]  If you built that blog, like I suggested, talk about it.
[39:42.510 --> 39:44.010]  That shows you have passion.
[39:44.010 --> 39:46.690]  That's something that's completely voluntary
[39:46.690 --> 39:48.530]  that you chose to do on your own.
[39:48.530 --> 39:49.810]  Or if you created a bunch of videos,
[39:49.810 --> 39:51.710]  that's something you chose to do on your own.
[39:51.710 --> 39:54.510]  If you engaged in labs and other things,
[39:54.510 --> 39:58.070]  that's all stuff that shows you have a passion for security.
[39:58.230 --> 40:00.790]  Make sure you share that when you're talking
[40:00.790 --> 40:03.070]  with the hiring manager.
[40:04.270 --> 40:05.910]  And then I'm gonna share this with you.
[40:05.910 --> 40:08.090]  So I told you I host this podcast
[40:08.090 --> 40:11.290]  and one of the people we had on was Malware Jake,
[40:11.290 --> 40:12.230]  Jake Williams.
[40:12.230 --> 40:14.670]  And he shared with us something
[40:15.080 --> 40:18.010]  that I thought was absolutely incredible advice.
[40:18.490 --> 40:21.750]  Here's how you refine your resume to sell yourself.
[40:21.930 --> 40:23.490]  First, write up a resume.
[40:23.490 --> 40:25.690]  Take what I've told you so far, create a resume.
[40:26.770 --> 40:29.310]  Then I want you to completely separately
[40:29.310 --> 40:32.230]  prepare a one to two minute elevator pitch.
[40:33.270 --> 40:35.450]  Just how are you gonna sell yourself in two minutes?
[40:35.450 --> 40:37.550]  Tell somebody why they should hire you,
[40:37.550 --> 40:38.530]  what it is that you're gonna do
[40:38.530 --> 40:39.650]  to make their business better,
[40:39.650 --> 40:40.430]  what it is that you're gonna do
[40:40.430 --> 40:42.170]  to make their department stronger.
[40:42.170 --> 40:45.230]  Now go and find those things in your resume.
[40:45.430 --> 40:49.510]  If you can't find those elements in your resume,
[40:49.510 --> 40:53.170]  get revising, figure out how you're going
[40:53.170 --> 40:55.670]  to add those elements to your resume
[40:55.670 --> 40:57.270]  to hit those things that are a part
[40:57.270 --> 40:59.290]  of what you said were most important
[40:59.290 --> 41:00.290]  because that's what you squeezed
[41:00.290 --> 41:02.530]  into that two minute elevator pitch.
[41:02.530 --> 41:04.210]  This is such a great idea.
[41:04.210 --> 41:06.010]  If you can do this with your resume,
[41:06.010 --> 41:08.070]  your resume is gonna be so much stronger.
[41:08.070 --> 41:09.810]  And then now you can carry through
[41:09.810 --> 41:11.270]  that narrative that you told
[41:11.270 --> 41:13.290]  in that one to two minute elevator pitch,
[41:13.290 --> 41:16.130]  that becomes the theme for every interview
[41:16.130 --> 41:17.930]  that you have after that.
[41:18.390 --> 41:21.810]  Make them know why it is that they wanna hire you.
[41:22.430 --> 41:25.050]  So let's go back to our barista then.
[41:25.050 --> 41:27.210]  We're gonna tie things all together here now.
[41:27.210 --> 41:30.050]  So how do I revise that resume?
[41:30.110 --> 41:33.730]  Say I'm entry level, I don't have a lot of experience.
[41:34.230 --> 41:37.990]  Well, let's understand first technical capabilities.
[41:37.990 --> 41:39.410]  And when I say technical capabilities,
[41:39.410 --> 41:40.490]  I'm talking about those things
[41:40.490 --> 41:42.470]  that ultimately show up as requirements.
[41:42.470 --> 41:45.510]  There's kind of three levels that you can have here.
[41:45.510 --> 41:46.790]  You can have knowledge.
[41:46.790 --> 41:48.650]  And knowledge is just, hey, I read a book,
[41:48.650 --> 41:52.570]  I did some training, I investigated research,
[41:52.570 --> 41:55.390]  studied this somehow, here it is.
[41:55.390 --> 41:58.250]  I have knowledge of this area.
[41:58.250 --> 42:01.250]  Sometimes for certain things, that might be all you need.
[42:01.330 --> 42:04.430]  But more often than not, people want you to have skill.
[42:04.650 --> 42:07.470]  And when I say skill, what we're referring to in skills
[42:07.470 --> 42:09.610]  is that you've actually taken that knowledge
[42:09.610 --> 42:11.370]  and applied it in some way.
[42:11.490 --> 42:14.610]  Maybe you did a lab, maybe you worked in a CTF,
[42:14.610 --> 42:17.750]  or you went to a village or some other hands-on training
[42:17.750 --> 42:20.150]  somewhere where you actually got to do application
[42:20.150 --> 42:24.770]  of that knowledge into the actual technology.
[42:24.770 --> 42:26.530]  You got to apply it somehow.
[42:26.530 --> 42:28.030]  That is a skill.
[42:28.390 --> 42:30.010]  That's, we're kind of, as you see,
[42:30.010 --> 42:31.210]  going from good, better, best here.
[42:31.210 --> 42:32.610]  So you've got knowledge and skill.
[42:32.610 --> 42:35.410]  The last one is experience.
[42:35.550 --> 42:37.270]  And this is the coup de grâce, right?
[42:37.270 --> 42:40.410]  This is what employers tell us they want all the time.
[42:40.410 --> 42:42.570]  They want to know that you have experience.
[42:42.630 --> 42:44.310]  And when they say experience, they're talking about
[42:44.310 --> 42:47.330]  that you have some kind of formal documented examples
[42:48.090 --> 42:51.730]  of applying that skill in a real life,
[42:51.730 --> 42:54.110]  most often business scenario.
[42:55.350 --> 42:57.570]  So understanding, making an inventory
[42:57.570 --> 43:00.230]  of your capabilities technically,
[43:00.230 --> 43:03.410]  and understanding are they knowledge, are they skills,
[43:03.410 --> 43:05.990]  and are they experience, and to what level of each
[43:05.990 --> 43:07.310]  is so crucial.
[43:07.310 --> 43:08.990]  This is back to working on you again
[43:08.990 --> 43:11.150]  and talking about how you can be better.
[43:12.170 --> 43:13.850]  And then finally, I want to talk about this idea
[43:13.850 --> 43:14.770]  of core skills.
[43:14.770 --> 43:17.010]  So now that you know what those capabilities are,
[43:17.010 --> 43:19.690]  your core skills are the transferable elements
[43:19.690 --> 43:22.710]  of those that you can take from one capability
[43:22.710 --> 43:26.450]  and apply it to any capability in any technology anywhere.
[43:26.610 --> 43:28.470]  So if I look at my barista, they start off with,
[43:28.470 --> 43:29.930]  well, they make coffee beverages.
[43:30.790 --> 43:33.530]  Well, really, if I break that down,
[43:33.530 --> 43:34.910]  here's a lot of the steps they did.
[43:34.910 --> 43:37.990]  They received orders, they prepared according to recipes,
[43:37.990 --> 43:39.210]  they delivered on the customers
[43:39.210 --> 43:40.850]  and they had to clean the equipment.
[43:40.930 --> 43:43.090]  But that's still shades of a barista.
[43:43.090 --> 43:44.690]  So how do I take it further?
[43:45.130 --> 43:46.990]  They processed multiple inputs.
[43:46.990 --> 43:49.090]  They translated inputs into tasks
[43:49.090 --> 43:52.030]  and prioritized them for maximum efficiency.
[43:52.210 --> 43:54.870]  And they were always focused on efficient delivery
[43:54.870 --> 43:55.990]  to the customer.
[43:55.990 --> 43:56.790]  And throughout all that,
[43:56.790 --> 43:59.130]  they had to plan and execute maintenance activities.
[43:59.150 --> 44:03.030]  These are general words that can apply to any job anywhere.
[44:03.030 --> 44:07.230]  And when you can now take and view your skills in that light,
[44:07.230 --> 44:09.950]  you can take those requirements that they're asking for,
[44:09.950 --> 44:13.390]  understand the core skills behind those,
[44:13.390 --> 44:17.150]  take your own core skills, tie them together.
[44:17.150 --> 44:20.830]  And now you can see how you can easily word your resume
[44:20.830 --> 44:23.050]  to highlight the skills and experiences
[44:23.050 --> 44:24.730]  that you have from your job
[44:25.150 --> 44:30.550]  to fit into that job that you are applying for.
[44:30.550 --> 44:34.690]  And this is where the rubber really meets the road.
[44:34.790 --> 44:39.350]  How do you take that simple role as a barista
[44:40.530 --> 44:44.630]  where it seems so completely unconnected?
[44:44.630 --> 44:47.010]  And this is literally what I told that manager
[44:47.010 --> 44:48.370]  when he was complaining to me.
[44:48.370 --> 44:51.770]  I said, didn't they absorb all of this input
[44:51.770 --> 44:54.450]  from all these different areas and process it?
[44:54.630 --> 44:56.350]  Didn't they have to focus
[44:56.870 --> 44:59.490]  on how they were going to arrange those?
[45:00.150 --> 45:01.850]  And do it in an efficient manner
[45:01.850 --> 45:03.670]  so they could be most effective?
[45:03.770 --> 45:05.670]  Weren't they always focused on customers
[45:05.670 --> 45:08.590]  and the customer was what was most important?
[45:08.590 --> 45:10.070]  And yet throughout all of that,
[45:10.070 --> 45:13.130]  they had to plan and execute maintenance activities.
[45:13.570 --> 45:14.810]  And he started to look at me.
[45:14.810 --> 45:17.310]  I said, isn't that exactly what you want
[45:17.310 --> 45:19.790]  your SOC analysts to be able to do?
[45:20.370 --> 45:22.470]  That barista would be perfectly qualified
[45:22.470 --> 45:24.450]  to be a SOC analyst in light of the fact
[45:24.450 --> 45:28.030]  that they have the other knowledge that you asked for.
[45:28.030 --> 45:29.670]  They may not have the experience,
[45:29.670 --> 45:31.330]  but they have the knowledge.
[45:31.450 --> 45:34.310]  So look to highlight these on your resume,
[45:34.310 --> 45:37.330]  in your discussions, in those interviews,
[45:37.330 --> 45:41.110]  as you're blogging, as you're making videos,
[45:41.110 --> 45:43.070]  tie these things together.
[45:43.130 --> 45:44.470]  And then last, I'm going to leave you
[45:44.470 --> 45:46.570]  with this quote from Ella Fitzgerald.
[45:47.310 --> 45:48.970]  Just don't give up.
[45:48.970 --> 45:51.570]  Whatever it is, don't give up.
[45:51.690 --> 45:52.810]  This is tough.
[45:52.810 --> 45:55.330]  I'm not going to say the security industry is perfect.
[45:55.330 --> 45:57.730]  We've got a lot of work to do
[45:57.730 --> 46:00.150]  from the industry side to make things better
[46:00.150 --> 46:02.970]  for those that we're trying to bring into the industry.
[46:03.170 --> 46:05.510]  Keep working, use your network,
[46:05.510 --> 46:07.290]  find mentors who can help you,
[46:07.290 --> 46:10.390]  leverage your connections and foster those relationships
[46:10.390 --> 46:12.510]  because they're going to help you get there.
[46:13.230 --> 46:16.230]  So finally, I can be one of those people for you.
[46:16.230 --> 46:17.270]  And I'm always happy to.
[46:17.270 --> 46:19.090]  Find me on social media.
[46:19.090 --> 46:21.970]  You've got my Twitter handle, my LinkedIn address there.
[46:21.970 --> 46:23.330]  You've also got the link to my website,
[46:23.330 --> 46:26.670]  which includes my blog and lots of other information.
[46:26.670 --> 46:30.750]  So please continue, reach out to me, reach out to others.
[46:30.750 --> 46:33.990]  If I can't help you, I will find somebody to connect you with,
[46:33.990 --> 46:37.150]  or I will put the call out to the world and to my network
[46:37.150 --> 46:40.110]  and find you somebody who can help you with what you need.
[46:41.030 --> 46:43.590]  So with that, I want to say thank you so much
[46:43.590 --> 46:45.650]  to everybody who's attended today.
[46:45.650 --> 46:48.750]  Thank you, Snyk, my employer, for allowing me to be here today.
[46:48.750 --> 46:51.890]  Thank you to DEF CON and the DEF CON Career Hacking Village.
[46:51.890 --> 46:55.230]  I'm so excited to be a part of the inaugural version of this.
[46:55.230 --> 46:56.790]  That is so cool.
[46:56.790 --> 47:00.250]  And I hope you all enjoy the rest of the conference.
[47:00.250 --> 47:02.070]  I know it's a weird world out there.
[47:02.070 --> 47:04.270]  We'll get back to the real thing soon enough.
[47:04.270 --> 47:06.850]  But enjoy this virtual experience and make the most of it.
[47:06.850 --> 47:09.810]  This is where you're going to learn so many things.
[47:09.810 --> 47:11.530]  And I hope to see you soon.
[47:12.830 --> 47:17.210]  That was just absolutely, excuse me, absolutely awesome.
[47:17.210 --> 47:21.890]  I hope you saw me doing thumbs up and being excited.
[47:22.090 --> 47:24.610]  And yes, you hit so many points.
[47:24.610 --> 47:27.310]  20 years in the recruitment industry.
[47:27.310 --> 47:32.110]  And I am so glad you pointed everything out, listed some of the key things,
[47:32.110 --> 47:35.530]  listed a lot of the key things that job seekers really need,
[47:35.530 --> 47:39.070]  and sort of gave a little bit of a backslap to those
[47:39.750 --> 47:42.710]  employers who really need to change their job descriptions.
[47:42.710 --> 47:45.430]  That's something I've been trying to do for 20 years.
[47:45.430 --> 47:48.070]  And I think it will take all of us to do that.
[47:48.070 --> 47:52.850]  Alyssa, thank you so much for all of your great input, for doing the great survey.
[47:52.850 --> 47:56.210]  I know that you've also made yourself available for career coaching
[47:56.210 --> 47:59.590]  through The Village, and we really appreciate that.
[47:59.590 --> 48:02.850]  So definitely connect with Alyssa.
[48:02.910 --> 48:06.090]  And we will be back with another session shortly.
[48:06.090 --> 48:06.890]  Bye-bye.
